PIM Security
Load multicast.anycast.rp.configured.cfg
#IOS-XE
config replace flash:multicast.anycast.rp.configured.cfg
#IOS-XR
configure
load bootflash:multicast.anycast.rp.configured.cfg
commit replace
y
R9 and XR4 are configured as Anycast RPs. Configure the following protections:
The RPs should not have more than 100 MRIB entries
The RPs should only allow Registers for multicast traffic sourced from R1.
The RPs should rate limit registers to 8kbps on IOS-XE and a maximum of 250 Register states on IOS-XR
The LHRs R5 and XR3 should only allow IGMP Joins to group 239.1.1.0/24. These routers should also limit the total number of IGMP group entries to 100.
Answer
#R9
ip access-l ext ACCEPT_REGISTER
permit ip host 7.1.7.1 any
!
ip multicast route-limit 100
ip pim register-rate-limit 8000
ip pim accept-register list ACCEPT_REGISTER
#XR4
ipv4 access-list ACCEPT_REGISTER
permit ip host 7.1.7.1 any
!
router pim
address-family ipv4
maximum routes 100
maximum register-states 250
accept-register ACCEPT_REGISTER
#R5
ip igmp limit 100
!
ip access-l standard IGMP_FILTER
permit 239.1.1.0 0.0.0.255
!
int Gi2.525
ip igmp access-group IGMP_FILTER
#XR3
ipv4 access-list IGMP_FILTER
10 permit ipv4 239.1.1.0/24 any
!
router igmp
maximum groups 100
!
interface GigabitEthernet0/0/0/0.543
access-group IGMP_FILTER
Explanation
The multicast group range is quite large (224/4). This presents an attack vector on the router: a bad actor can exhaust the resources on a router by creating thousands of multicast state entries. To prevent this, we can limit the number of MRIB entries and IGMP entries.
#IOS-XE
ip multicast route-limit 100
!
ip igmp limit 100
#IOS-XR
router pim
address-family ipv4
maximum routes 100
!
router igmp
maximum groups 100
Note that we can also set the maximum IGMP groups on a per-interface basis:
#IOS-XE
int Gi2
ip igmp limit 100
#IOS-XR
router igmp
interface GigabitEthernet0/0/0/0
maximum groups-per-interface 100
Additionally, we can limit which (S, G) pairs we accept Registers for on the RPs. This feature references an extended ACL, in which the first parameter is the sending source (not the router originating the Register, but the multicast source itself) and the second parameter is the destination multicast group.
#R9
ip access-l ext ACCEPT_REGISTER
permit ip host 7.1.7.1 any
!
ip pim accept-register list ACCEPT_REGISTER
#XR4
ipv4 access-list ACCEPT_REGISTER
permit ip host 7.1.7.1 any
!
router pim
address-family ipv4
accept-register ACCEPT_REGISTER
We can verify this is working by sourcing traffic from another router. For example, if R4 tries to send traffic, we will see that R9 is not willing to act as an RP for this (S, G) pair.

We can also see this on XR4 if we source traffic from a router such as R3, using debug pim protocol register.
Additionally, we can rate limit the Register traffic on the RP. On IOS-XE this is simply a pps rate limiter. On IOS-XR this is the number of Register states. I believe this is how many (S, G) pairs can currently be in the Register state. I am not clear whether this command actually belongs on the FHR.
#R9
ip pim register-rate-limit 8000
#XR4
router pim
address-family ipv4
maximum register-states 250
Finally, we can limit the IGMP Joins based on the group address at the LHRs. This references a standard ACL that simply matches the group address. Anything denied by the ACL is not permitted as IGMP state on the LHR. Note that for IOS-XR, the ACL appears to be backwards. The source portion is really the group address.
#R5
ip access-l standard IGMP_FILTER
permit 239.1.1.0 0.0.0.255
!
int Gi2.525
ip igmp access-group IGMP_FILTER
#XR3
ipv4 access-list IGMP_FILTER
10 permit ipv4 239.1.1.0/24 any
!
router igmp
interface GigabitEthernet0/0/0/0.543
access-group IGMP_FILTER
We can verify that the filter works by trying to join denied groups on the hosts.
#R2
int gi2.525
ip igmp join-group 239.2.2.2

#R4
int gi2.543
ip igmp join-group 239.4.4.4

A note on IPv6
IOS-XE does not appear to support limiting the number of IPv6 MRIB entries or rate limiting registers.
However, it does support ipv6 accept-register list <ACL>. It uses the same ACL format as IPv4, where the first parameter is the sending source address, and the second parameter is the group address.
ipv6 access-list ACCEPT_REGISTER
sequence 10 permit ipv6 host 2008:8:3:8::3 any
!
ipv6 pim accept-register list ACCEPT_REGISTER
IOS-XE also supports limiting the number of MLD state entries and filtering MLD Joins. The filter for MLD Joins uses the source as the first parameter and the group address as the second parameter.
ipv6 mld state-limit 100
!
ipv6 access-list MLD_FILTER
permit any ff08::2/128
!
int Gi1
ipv6 mld access-group MLD_FILTER
IOS-XR appears to support everything for IPv6. Note that the IPv6 ACL syntax is flipped compared to IOS-XE. The group must go in the first parameter. (This is just like IPv4 IGMP).
#XR4
ipv6 access-list ACCEPT_REGISTER
permit ipv6 host 2008:8:3:8::3 any
!
router pim
address-family ipv6
maximum routes 100
maximum register-states 250
accept-register ACCEPT_REGISTER
#XR3
ipv6 access-list MLD_FILTER
10 permit ipv6 ff08::2/128 any
!
router mld
maximum groups 100
!
interface GigabitEthernet0/0/0/0.543
access-group MLD_FILTER
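As an added offline check that is not part of the original lab, the following Python models the ACL field ordering described above: accept-register matches (source, group) on both platforms, the IOS-XE IPv4 IGMP filter matches the group in its single standard-ACL field, the IOS-XE MLD filter puts the group second, and IOS-XR IGMP/MLD filters put the group in the first ("source") field. The ACL tuples and the non-R1 source 4.1.4.1 are constructed, and how a field with no supplied value is treated is the model's own assumption, not documented vendor behaviour.

```python
import ipaddress

# Which ACL field carries the group address in an IGMP/MLD join filter
# (per the lab notes: IOS-XE IPv4 standard ACL has one field; IOS-XE MLD
# puts the group second; IOS-XR puts the group in the first, "source", field).
GROUP_FIELD = {"iosxe-ipv4": 0, "iosxe-ipv6": 1, "iosxr": 0}

def _net(spec):
    # "any" matches everything; otherwise a host/prefix such as "7.1.7.1/32".
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)

def _match(spec, addr):
    # An ACL field of "any" matches anything. A field for which the lookup
    # supplies no value (addr is None) can only be matched by "any"; this
    # conservative rule is an assumption of the model, not vendor behaviour.
    if spec is None:
        return True
    if addr is None:
        return False
    return ipaddress.ip_address(addr) in spec

def acl_permits(acl, first, second):
    """acl: ordered list of (action, first_field, second_field); implicit deny at the end."""
    for action, a, b in acl:
        if _match(_net(a), first) and _match(_net(b), second):
            return action == "permit"
    return False

def register_accepted(acl, source, group):
    # accept-register on IOS-XE and IOS-XR: multicast source first, group second.
    return acl_permits(acl, source, group)

def join_accepted(platform, acl, group):
    # Place the group in the platform's group field; the other field stays unknown.
    fields = [None, None]
    fields[GROUP_FIELD[platform]] = group
    return acl_permits(acl, fields[0], fields[1])

# ACLs mirroring the lab answer (constructed tuples, not device output).
R9_ACCEPT_REGISTER = [("permit", "7.1.7.1/32", "any")]
R5_IGMP_FILTER = [("permit", "239.1.1.0/24", "any")]         # standard ACL: one field
XR3_IGMP_FILTER = [("permit", "239.1.1.0/24", "any")]        # XR: group goes first
XR3_IGMP_FILTER_WRONG = [("permit", "any", "239.1.1.0/24")]  # IOS-XE order used on XR
XR3_MLD_FILTER = [("permit", "ff08::2/128", "any")]

if __name__ == "__main__":
    print(register_accepted(R9_ACCEPT_REGISTER, "7.1.7.1", "239.1.1.1"))  # True: R1 source
    print(register_accepted(R9_ACCEPT_REGISTER, "4.1.4.1", "239.1.1.1"))  # False: constructed non-R1 source
    print(join_accepted("iosxe-ipv4", R5_IGMP_FILTER, "239.2.2.2"))       # False: group outside 239.1.1.0/24
    print(join_accepted("iosxr", XR3_IGMP_FILTER, "239.1.1.5"))           # True
    print(join_accepted("iosxr", XR3_IGMP_FILTER_WRONG, "239.1.1.5"))     # False: prefix sits in the wrong field
    print(join_accepted("iosxr", XR3_MLD_FILTER, "ff08::2"))              # True
```

The swapped-order case shows why the IOS-XR filters in this lab carry the group prefix in the first field: written the IOS-XE way, the prefix never sees the group address and every join falls to the implicit deny.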